One document matched: draft-ietf-crisp-lw-dns-00.txt
INTERNET-DRAFT Eric A. Hall
Document: draft-ietf-crisp-lw-dns-00.txt July 2002
Expires: January, 2003
Category: Standards-Track
Defining and Locating DNS Domains
using the Internet Resource Query Service
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC 2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in
progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
1. Abstract
This document defines LDAP schema and searching rules for DNS
domains, in support of the Internet Resource Query Service
described in [ldap-whois].
Internet Draft draft-ietf-crisp-lw-dns-00.txt July 2002
2. Definitions and Terminology
This document unites, enhances and clarifies several pre-existing
technologies. Readers are expected to be familiar with the
following specifications:
RFC 2247 - Using Domains in LDAP/X.500 DNs
RFC 2251 - Lightweight Directory Access Protocol (v3)
RFC 2252 - Lightweight Directory Access Protocol (v3):
Attribute Syntax Definitions.
RFC 2254 - The String Representation of LDAP Search Filters
[ir-dir-req] - <draft-newton-ir-dir-requirements-00.txt> -
Internet Registry Directory Requirements
[ldap-whois] - <draft-ietf-crisp-lw-core-00.txt> - The
Internet Resource Query Service and the Internet Resource
Schema
The following abbreviations are used throughout this document:
DIT (Directory Information Tree) - A DIT is a contained
branch of the LDAP namespace, having a root of a particular
distinguished name. "dc=example,dc=com" is used throughout
this document as one DIT, with many example entries being
stored in this DIT.
DN (Distinguished Name) - A distinguished name provides a
unique identifier for an entry, through the use of a multi-
level naming syntax. Entries are named according to their
location relevant to the root of their containing DIT. For
example, "cn=inetResources,dc=example,dc=com" is a DN which
uniquely identifies the "inetResources" entry within the
"dc=example,dc=com" DIT.
RDN (Relative DN) - An RDN provides a locally-scoped unique
identifier for an entry. A complete, globally-unique DN is
formed by concatenating the RDNs of an entry together. For
example, "cn=admins,cn=inetResources,dc=example,dc=com"
consists of two RDNs ("cn=admins" and "cn=inetResources")
within the "dc=example,dc=com" DIT. RDNs are typically only
referenced within their local scope.
Hall & Newton I-D Expires: August 2002 [page 2]
Internet Draft draft-ietf-crisp-lw-dns-00.txt July 2002
OID (Object Identifier) - An OID is a globally-unique,
concatenated set of integers which provide a kind of
"serial number" to attributes, object classes, syntaxes and
other schema elements.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
in this document are to be interpreted as described in RFC 2119.
3. The inetDnsDomain Object Class
The inetDnsDomain object class is a structural object class which
provides administrative information about a specific DNS domain
name resource, such as a zone, a well-known host, or some other
network resource which is primarily identified by a domain name.
3.1. Naming syntax
The naming syntax for DNS domain entries MUST follow the form of
"cn=<inetDnsDomainSyntax>,cn=inetResources,<dc-DIT>". Each DNS
domain name which is managed as a discrete LDAP-WHOIS resource
MUST have a dedicated entry in each of the DITs which provide
public LDAP-WHOIS data for that resource.
The inetDnsDomainSyntax component of an entry is subject to DN
rules, although the inetDnsDomainSyntax is also used for extended
search operations, and is therefore subject to specific syntax
rules. The basic rules for this format are that domain names MUST
be stored as sequences of labels, where each label consists of a
maximum of 63 characters, with each label being separated by a
full-stop (period) character, and with the entire domain name
sequence being a maximum of 255 characters.
For example, the "www.example.com" DNS domain name resource stored
in the "dc=example,dc=com" DIT would be represented as an entry
named "cn=www.example.com,cn=inetResources,dc=example,dc=com",
while the "2.0.192.in-addr.arpa" reverse-lookup domain which was
stored in the "dc=example,dc=com" DIT would be named
"cn=2.0.192.in-addr.arpa,cn=inetResources,dc=example,dc=com".
Note that the domain name syntax rules defined by STD 13 allow any
eight-bit character code to be used within any domain name,
although the host naming rules defined by RFC 952, STD 13 and STD
Hall & Newton I-D Expires: August 2002 [page 3]
Internet Draft draft-ietf-crisp-lw-dns-00.txt July 2002
3 only allow a subset of the printable characters from US-ASCII to
be used for domain names which specify connection targets.
However, many domain names will need to be queried which will not
conform to the host naming rules ("_ldap._tcp.example.com" might
be specified in a search, for example), so any eight-bit character
MUST be considered valid for this service.
RFC 2253 defines several escaping mechanisms for use when handling
certain "special" characters, and these mechanisms MUST be used
whenever a character in a domain name needs to be escaped in order
for an assertion value to be parsed. However, STD 13 also allows
the use of special characters, and also provides several
mechanisms for escaping special characters in DNS domain names,
and these rules MUST also be accommodated if valid DNS names are
to be supported.
In order to facilitate this potential overlap while minimizing
confusion during handling, LDAP-WHOIS clients MUST allow DNS
domain name query strings to be entered as raw eight-bit data, but
if any of the characters need to be escaped for the assertion
value to be properly built, then the client MUST escape these
characters before the search is submitted.
Secondarily, if the user needs to search for a DNS domain name
which would normally require escaping or other special handling in
order for the domain name to be processed, then the user MUST
provide the domain name in its escaped form. By extension, this
also means that these DNS domain names MUST be stored as RDNs in
their escaped form.
STD 13 and RFC 2253 both use a common method of escaping special
characters with a reverse solidus (backslash) character, with
either the special character or a two-digit decimal code for that
character immediately following the reverse solidus.
For example, if a user needs to specify the domain name of
"weird name.example.com" (where "weird name" is a valid domain
name label with an embedded space), then the domain name would
have an RDN of "cn=weird\32name.example.com" in the directory, and
would have to be entered into the client as a search for
"weird\32name.example.com". The client would then perform a
secondary escape to form "weird\\32name.example.com" as the
assertion value, and this secondary escape would be removed by the
LDAP-WHOIS server upon receipt. Thus a match would be found.
Hall & Newton I-D Expires: August 2002 [page 4]
Internet Draft draft-ietf-crisp-lw-dns-00.txt July 2002
NOTE: Remember that IPv4 addresses are also stored in DNS
for reverse-lookup purposes, and the associated zones and
PTR domain names may also require escaping, particularly
when used with site-specific CIDR notation.
The common reference to the root domain is a single full-stop
(".") character, and this usage is also endorsed by this document
when the root domain name needs to be explicitly queried. For any
domain name which contains a non-root label, the trailing period
which normally signifies the root domain MUST be omitted. The
maximum size of a valid DNS domain name is 255 characters (this
limit applies to the unescaped assertion value). Clients MUST
restrict input to this range, prior to submitting the LDAP query.
The domain name component of the DN MUST match the domain name of
the managed resource exactly as the domain name exists in the DNS
namespace. For example, if an organization wishes to provide
information about "www.example.com", then a RDN entry would need
to exist for "cn=www.example.com". If an organization wishes to
provide information about the "www.example.com" canonical target
"server1.example.net", then a RDN for "cn=server1.example.net"
would need to exist. If an organization wishes to provide
information about "server1.example.net" whenever a query is
received for "www.example.com", then the "cn=www.example.com"
entry would need to be defined as a subordinate reference
referral, with the ref attribute pointing to the
"cn=server1.example.net" entry.
This usage model also applies to reverse-lookup domains. If an
organization is the authority for the "2.0.192.in-addr.arpa"
reverse-lookup domain associated with an IPv4 network (this is
different from providing information about the network block in
particular, as is discussed separately in [ldap-whois-ipv4] and
[ldap-whois-ipv6], then that syntax would also be used to form the
RDN for the associated inetDnsDomain entry.
Note that reverse-lookup domain names are mapped directly as they
exist in the public DNS namespace. If a /24 IPv4 network block
such as 192.0.2.0 has been delegated to an organization, the
default controlling domain name of the reverse-lookup zone will be
2.0.192.in-addr.arpa, and the name of the associated LDAP-WHOIS
entry would be "cn=2.0.192.in-addr.arpa". However, if that network
had been delegated to an ISP who had in turn delegated the
192.0.2.0/29 address block and an associated reverse-lookup zone
of 29-0.2.0.192.in-addr.arpa to a user, then the associated LDAP-
WHOIS entry for that zone would be "cn=29-0.2.0.192.in-addr.arpa".
Hall & Newton I-D Expires: August 2002 [page 5]
Internet Draft draft-ietf-crisp-lw-dns-00.txt July 2002
3.2. Schema definition
DNS domain name entries MUST exist with the top, inetResources and
inetDnsDomain object classes defined. If an entry exists as a
referral, the entry MUST also be defined with the referral object
class, in addition to the above requirements.
The inetDnsDomain object class is a structural object class which
is subordinate to the inetResources object class, and which MUST
be treated as a container class capable of holding additional
subordinate entries. The inetDnsDomain object class has no
mandatory attributes, although it does have several optional
attributes.
The inetDnsDomain object class defines attributes which are
specific to DNS domains, particularly as this relates to domain
delegation (DNS operational information is available through DNS
itself). This includes information such as the delegation date and
the status of the delegation. The inetDnsDomain object class is
subordinate to the inetResources object class, so it inherits
those attributes as well.
Some of the inetDnsDomain object class attributes define contact-
related referrals which provide LDAP URLs that refer to
inetOrgPerson entries, and these entries will need to be queried
separately if detailed information about a particular contact is
required. The contact attribute values follow the same rules as
the labeledURI attribute defined in RFC 2079, with additional
restrictions described in [ldap-whois].
The various ModifiedBy and ModifiedDate attributes SHOULD be
treated as operational attributes. Their values SHOULD be filled
in automatically by the database management application, and
SHOULD NOT be returned except when explicitly requested.
Hall & Newton I-D Expires: August 2002 [page 6]
Internet Draft draft-ietf-crisp-lw-dns-00.txt July 2002
The schema definition for the inetDnsDomain object class is as
follows:
inetDnsDomain
( 1.3.6.1.4.1.7161.1.1.0 NAME 'inetDnsDomain' DESC 'DNS
domain attributes.' SUP inetResources STRUCTURAL MAY (
inetDnsDelegationStatus $ inetDnsDelegationDate $
inetDnsDelegationModifiedDate $ inetDnsDelegationModifiedBy
$ inetDnsContacts $ inetDnsContactsModifiedBy $
inetDnsContactsModifiedDate $ inetDnsAuthServers ) )
The attributes from the inetDnsDomain object class are described
below:
inetDnsAuthServers
( 1.3.6.1.4.1.7161.1.1.2 NAME 'inetDnsAuthServers' DESC
'Authoritative DNS servers for this domain.' EQUALITY
caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
The inetDnsAuthServers attribute provides a read-only
summary of the authoritative servers associated with the
zone. The attribute is defined as multi-valued, with each
attribute value currently (tentatively) being defined as:
domain.dom [address/prefix]
where "domain.dom" is the domain name of the authoritative
server, written as an inetDnsDomainSyntax string, and where
"address/prefix" is an IPv4 or IPv6 host-specific network
address, written as either an inetIpv4NetworkSyntax or
inetIpv6NetworkSyntax string. Clients that wish to obtain
additional information about the listed servers can issue
new queries for either the domain name or address syntax.
NOTE: THIS IS A TEMPORARY ATTRIBUTE WHICH WILL EVENTUALLY
BE REPLACED WITH GENERALIZED RESOURCE-RECORD ENTRIES AND
ATTRIBUTES.
inetDnsContacts
( 1.3.6.1.4.1.7161.1.1.3 NAME 'inetDnsContacts' DESC
'Contacts for reporting problems with this domain name.'
EQUALITY caseExactMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 )
Hall & Newton I-D Expires: August 2002 [page 7]
Internet Draft draft-ietf-crisp-lw-dns-00.txt July 2002
inetDnsContactsModifiedBy
( 1.3.6.1.4.1.7161.1.1.4 NAME 'inetDnsContactsModifiedBy'
DESC 'Person who last modified the inetDnsContacts
attribute.' EQUALITY distinguishedNameMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE USAGE
distributedOperation )
inetDnsContactsModifiedDate
( 1.3.6.1.4.1.7161.1.1.5 NAME 'inetDnsContactsModifiedDate'
DESC 'Last modification date of the inetDnsContacts
attribute.' EQUALITY generalizedTimeMatch ORDERING
generalizedTimeOrderingMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE USAGE
distributedOperation )
inetDnsDelegationDate
( 1.3.6.1.4.1.7161.1.1.6 NAME 'inetDnsDelegationDate' DESC
'Date of original delegation.' EQUALITY
GeneralizedTimeMatch ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
inetDnsDelegationModifiedBy
( 1.3.6.1.4.1.7161.1.1.7 NAME 'inetDnsDelegationModifiedBy'
DESC 'Person who last modified the inetDnsDelegationStatus
attribute.' EQUALITY distinguishedNameMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE USAGE
distributedOperation )
inetDnsDelegationModifiedDate
( 1.3.6.1.4.1.7161.1.1.8 NAME 'inetDnsDelegationModifiedDate'
DESC 'Last modification date of the inetDnsDelegationStatus
attribute.' EQUALITY generalizedTimeMatch ORDERING
generalizedTimeOrderingMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE USAGE
distributedOperation )
inetDnsDelegationStatus
( 1.3.6.1.4.1.7161.1.1.9 NAME 'inetDnsDelegationStatus' DESC
'Current delegation status code for this domain.' EQUALITY
numericStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{2}
SINGLE-VALUE )
NOTE: In an effort to facilitate internationalization and
programmatic processing, the current status of a delegation
is identified by a 16-bit integer. The values and status
mapping is as follows:
Hall & Newton I-D Expires: August 2002 [page 8]
Internet Draft draft-ietf-crisp-lw-dns-00.txt July 2002
0 Reserved delegation (permanently inactive)
1 Assigned and active (normal state)
2 Assigned but not yet active (new delegation)
3 Assigned but on hold (disputed)
4 Assignment revoked (database purge pending)
Additional values for the inetDnsDelegationStatus attribute
are reserved for future use, and are to be administered by
IANA. Note that there is no status code for "unassigned";
unassigned entries SHOULD NOT exist, and SHOULD NOT be
returned as answers.
The inetDnsDomainSyntax syntax is as follows:
inetDnsDomainSyntax
( 1.3.6.1.4.1.7161.1.1.1 NAME 'inetDnsDomainSyntax' DESC 'A
fully-qualified DNS domain name.' )
3.3. Example
An example of the inetDnsDomain object class in use is shown in
Figure 1 below, with some additional attributes inherited from the
parent inetResources entry. This query is most likely being sent
to the LDAP servers responsible for operating the "example.com"
DNS domain.
cn=example.com,cn=inetResources,dc=example,dc=com
[top object class]
[inetResources object class]
[inetDnsDomain object class]
|
+-attribute: description
| value: "The example.com DNS domain"
|
+-attribute: inetDnsContacts
| value: "ldap://ldap.example.com/cn=hostmaster,ou=admins,
| dc=example,dc=com"
|
+-attribute: inetGeneralContacts
value: "ldap://ldap.example.com/cn=admins,ou=admins,
dc=example,dc=com"
Figure 1: The example.com inetDnsDomain entry.
Hall & Newton I-D Expires: August 2002 [page 9]
Internet Draft draft-ietf-crisp-lw-dns-00.txt July 2002
4. The inetDnsDomainMatch Filter
The inetDnsDomainMatch filter provides an identifier and search
string format which collectively inform a queried server that a
specific DNS domain name should be searched for, and that any
matching inetDnsDomain object class entries should be returned.
The inetDnsDomainMatch extensibleMatch filter is defined as
follows:
inetDnsDomainMatch
( 1.3.6.1.4.1.7161.1.1.9 NAME 'inetDnsDomainMatch' SYNTAX
inetDnsDomainSyntax )
The assertion value MUST be a valid DNS domain name, using the
inetDnsDomainSyntax syntax rules defined in section 3.
The server MUST compare the assertion value against the RDN of all
entries in the inetResources container which have an object class
of inetDnsDomain. Any entry for a DNS domain resource which is
clearly superior to the DNS domain name provided in the input
string MUST be returned to the client. Entries which do not
encompass the queried domain name MUST NOT be returned. Entries
which do not have an object class of inetDnsDomain MUST NOT be
returned.
For example, assume that the client has issued a query with the
assertion value of "www.example.com". If the queried server has an
inetDnsDomain object class entry with a DN of
"cn=example.com,cn=inetResources,dc=com", then that entry would be
returned to the client. Similarly, a continuation reference
referral of "cn=cref1,cn=example.com,cn=inetResources,dc=com"
would also be returned, since it has a "cn" component that is
superior to the queried domain name, and has the inetDnsDomain
object class.
Domain names MUST be compared on label boundaries, and MUST NOT be
qualified through simple character matching. Given two entries of
"cn=example.com" and "cn=an-example.com", only the first would
match an assertion value of "example.com".
Using the notation format described in RFC 2254, the search filter
expression for the inetDnsDomainMatch query above would be written
as "(1.3.6.1.4.1.7161.1.1.9:=www.example.com)".
Hall & Newton I-D Expires: August 2002 [page 10]
Internet Draft draft-ietf-crisp-lw-dns-00.txt July 2002
Response entries MAY be fully-developed inetDnsDomain entries, or
MAY be referrals generated from entries which have the
inetDnsDomain and referral object classes defined. Any attribute
values which are received MUST be displayed by the client. If a
subordinate reference referral is received, the client MUST
restart the query, using the provided data as the new search base.
If any continuation reference referrals are received, the client
SHOULD start new queries for each reference, and append the output
of those queries to the original query's output.
5. Security Considerations
This document describes an application of the LDAPv3 protocol, and
as such it inherits the security considerations associated with
LDAPv3, as described in section 7 of RFC 2251.
By nature, LDAP is a read-write protocol, while the legacy WHOIS
service has always been a read-only service. As such, there are
significant risks associated with allowing unintended updates by
unauthorized third-parties. Moreover, allowing the LDAP-WHOIS
service to update the underlying delegation databases could result
in network resources being stolen from their lawful operators. For
example, if the LDAP front-end had update access to a domain
delegation database, a malicious third-party could theoretically
take ownership of that domain by exploiting an authentication
weakness, thereby causing ownership of the domain to be changed to
another party. For this reason, it is imperative that the LDAP-
WHOIS service not be allowed to make critical modifications to
delegated resources without ensuring that all possible precautions
have been taken.
The query processing models described in this document make use of
DNS lookups in order to locate the LDAP servers associated with a
particular resource. DNS is susceptible to certain attacks and
forgeries which may be used to redirect clients to LDAP servers
which are not authoritative for the resource in question.
Some operators may choose to purposefully provide misleading or
erroneous information in an effort to avoid responsibility for bad
behavior. In addition, there are likely to be sporadic operator
errors which will result in confusing or erroneous answers.
This document provides multiple query models which will cause the
same query to be answered by different servers (one would be
processed by a delegation entity, while another would be processed
by an operational entity). As a result, each of the servers may
Hall & Newton I-D Expires: August 2002 [page 11]
Internet Draft draft-ietf-crisp-lw-dns-00.txt July 2002
provide different information, depending upon the query type that
was originally selected.
For all of the reasons listed above, it is essential that
applications and end-users not make critical decisions based on
the information provided by the LDAP-WHOIS service without having
reason to believe the veracity of the information. Users should
limit unknown or untrusted information to routine purposes.
Finally, there are physical security issues associated with any
service which provides physical addressing and delivery
information. Although organizations are generally encouraged to
provide as much information as they feel comfortable with, no
information is required.
6. IANA Considerations
This document defines an application of the LDAPv3 protocol rather
than a new Internet application protocol. As such, there are no
protocol-related IANA considerations.
However, this document does define several LDAP schema elements,
including object classes, attributes, syntaxes and extensibleMatch
filters, and these elements should be assigned OID values from the
IANA branch, rather than being assigned from a particular
enterprise branch.
Finally, this document also describes several instances where
public DNS and LDAP servers are queried. It is expected that IANA
will establish and maintain these LDAP servers (and the necessary
DNS SRV domain names and resource records) required for this
service to operate. This includes providing SRV resource records
in the generic TLDs and the root domain, and also includes
administering the referenced LDAP servers.
7. Author's Addresses
Eric A. Hall
ehall@ehsco.com
8. References
RFC 2247 - Using Domains in LDAP/X.500 DNs
Hall & Newton I-D Expires: August 2002 [page 12]
Internet Draft draft-ietf-crisp-lw-dns-00.txt July 2002
RFC 2251 - Lightweight Directory Access Protocol (v3)
RFC 2252 - Lightweight Directory Access Protocol (v3):
Attribute Syntax Definitions.
RFC 2254 - The String Representation of LDAP Search Filters
[ir-dir-req] - <draft-newton-ir-dir-requirements-00.txt> -
Internet Registry Directory Requirements
[ldap-whois] - <draft-ietf-crisp-lw-core-00.txt> - The
Internet Resource Query Service and the Internet Resource
Schema
[ldap-whois-ipv4] - <draft-ietf-crisp-lw-ipv4-00.txt> -
Defining and Locating IPv4 Address Blocks using the
Internet Resource Query Service
[ldap-whois-ipv6] - <draft-ietf-crisp-lw-ipv6-00.txt> -
Defining and Locating IPv6 Address Blocks using the
Internet Resource Query Service
9. Acknowledgments
Portions of this work were funded by Network Solutions, Inc.
Hall & Newton I-D Expires: August 2002 [page 13]
| PAFTECH AB 2003-2026 | 2026-04-24 01:33:21 |